config/initializers/security_headers.rb

	security_headers.rb revision 0c6ce6e1864f25f9832d6e7499a3d7457bfbc622
::SecureHeaders::Configuration.default do |config|
  config.hsts                   = 'max-age=99; includeSubdomains'
  config.x_frame_options        = 'SAMEORIGIN'
  config.x_content_type_options = 'nosniff'
  config.x_xss_protection       = '1; mode=block'

  config.cookies = {
    secure: true,
    httponly: false,
    samesite: {
      strict: true,
    },
  }

  # By default, load resources only from own origin.
  # For CSS, allow styles from style elements and attributes for GWT.
  config.csp = {
    default_src: %w('self'),
    style_src:   %w('self' 'unsafe-inline'),
    script_src: %w('self'),
    img_src: %w('self'),
    connect_src: %w('self'),
    font_src: %w('self'),
    media_src: %w('self'),
    object_src: %w('self'),
    child_src: %w('self'),
  }
end